Mortgage Banking Letters

The purpose of this guidance letter is to clarify the New
York State Banking Departments (the Departments) position on the appropriate
use of third party firms to perform the internal audit function. This letter also provides
general guidance to enhance internal controls and management stewardship. The Department
believes the use of outside accounting firms can be an effective management tool provided
management adopts policies designed to safeguard against conflicts of interest and
inappropriate delegation of responsibilities.

Management, including the board of directors, is
responsible for establishing and maintaining an effective internal control system. This
responsibility cannot be delegated to parties outside the institution. Competent and
independent internal and external auditors are crucial to effective internal controls.

When an institution outsources one or more of its internal
audit functions, the Department requires compliance with applicable standards established
by the American Institute of Certified Public Accountants (AICPA). The firm performing the
internal audit function must not make management decisions or perform management
functions. All work products under an outsourcing arrangement must be readily available to
the Department and be in the English language. In general, the Department discourages
institutions from using the same firm to perform both internal and external auditing.
While the Department recognizes that such an arrangement may be seen by smaller
institutions as more cost-effective, an institutions reliance on a single firm
increases the possibility that both internal and external audits may lack independence,
thereby increasing the risk of undetected internal control breakdowns.

At least annually, management and the board of directors
should obtain explicit assurances that their external auditors comply with standards
established by the AICPA. When fees for consulting work performed by the same firm that
performs audits represent a significant amount in comparison to the external and/or
internal audit fees, the independence of the auditors may be questioned. An external
auditor who also provides bookkeeping services for an institution will have difficulty
asserting his or her independence. On an annual basis, management should evaluate its
engagements with its external auditors, outsourcing firms, and consultants to ensure
continued effectiveness of these relationships. The Department expects management to
annually assess the effectiveness of firms that perform both internal and external
auditing and report its conclusions to its appropriate oversight body (e.g., board of
directors, audit committee, head office). The oversight body should formally review such
arrangements on an annual basis.

If internal controls are determined by examiners to be
inadequate, management must reassess its internal controls, including its relationships
with internal auditors, external auditors, and consultants. Particular attention must be
directed to relationships where a firm performs work on overlapping engagements.
Furthermore, institutions with inadequate internal controls will be subject to supervisory
action. Such action may include the requirement to change external auditing, internal
auditing, and consulting firms, especially when the same firm performs more than one
function. The Department may also require audited financial statements and other special
reports from an independent firm engaged with the Departments approval.

In any case, management should promptly report instances
of significant error or possible fraud to the Department. Management should avoid the
temptation to defer notifying the Department until a more complete explanation becomes
known or the issue is substantially resolved. The Department expects to be promptly
notified of such errors and frauds, and will consider the failure to do so as grounds for
potential supervisory action.

Your institutions internal controls and compliance
with this letter will be reviewed by Department examiners as part of their overall
supervisory examinations.

Questions concerning the topics
discussed in this letter should be directed to Chief of Regulatory Accounting John
McEnerney at (212) 618-6953 or by email at john.mcenerney@banking.state.ny.us.